Bugtraq mailing list archives
Malformed vsprintf in bftpd
From: asynchro <asynchro () PKCREW ORG>
Date: Wed, 6 Dec 2000 19:11:58 +0100
There is a malformed vsprintf in bftpd 1.0.12 in function sendstrf:

    int sendstrf(int s, char *format, ...) {
    ....
    vsprintf(buffer, format, val);

when the function is called from NLIST command:

    else foo = 1;
    sendstrf(s, entry->d_name);
    }

This can be used to overflow the buffer of the vsprintf and execute arbitrary code. I don't think it can be normally used for a remote attack because bftpd removes all non-printable characters from input strings and so it is not possible to remotely put a shellcode in a filename.

A demonstrative code is attached.

asynchro () pkcrew org
www.pkcrew.org
Attachment:
bf-code.c
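
Added example (not the attached bf-code.c and not bftpd's own code): a bounded rewrite of the sendstrf pattern quoted in the post, with the directory entry name passed as an argument to a constant format instead of as the format itself. format_reply, format_nlist_entry, REPLY_MAX and the sample file names are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256  /* assumed size; the post does not give bftpd's buffer size */
#if defined(__GNUC__)  /* lets -Wformat-security flag non-literal formats at call sites */
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Hardened stand-in for sendstrf(): formats into out[] with a bounded
 * vsnprintf and reports truncation instead of writing past the buffer.
 * Returns the reply length, or -1 if the reply did not fit. */
PRINTF_LIKE(3, 4)
static int format_reply(char *out, size_t outlen, const char *format, ...)
{
    va_list val;
    int n;
    va_start(val, format);
    n = vsnprintf(out, outlen, format, val);
    va_end(val);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) out[0] = '\0';  /* never emit a half-formatted reply */
        return -1;
    }
    return n;
}

/* NLIST-style caller: the entry name is data for a constant "%s" format,
 * so conversion specifiers inside the name are copied, not interpreted. */
static int format_nlist_entry(char *out, size_t outlen, const char *d_name)
{
    return format_reply(out, outlen, "%s\r\n", d_name);
}

int main(void)
{
    char reply[REPLY_MAX], longname[REPLY_MAX * 2];
    /* Constructed file name containing conversion specifiers. */
    int n = format_nlist_entry(reply, sizeof reply, "report_%x_%s_%n.txt");
    printf("%d bytes: %s", n, reply);
    /* Constructed over-long name: rejected rather than overflowing. */
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    printf("long name -> %d\n", format_nlist_entry(reply, sizeof reply, longname));
    return 0;
}
```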